Firepower Inspection Loop causing 30+ Phases

christianh98114
Level 1

Hello,
I've recently noticed that when packet-tracing outbound traffic, Firepower appears to loop over certain phases that have already been completed, causing a much larger number of steps than expected. I'd like to know if this is a normal occurrence or if I've misconfigured something on my end.
For context, FTD Version: 7.0.0 Build 94, FMC Version: 7.0.0 Build 94.
Here is a packet-tracer output for pinging 1.1.1.1 from an internal client.

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop [WAN-GW] using egress ifc Outside(vrfid:0)

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.x.x using egress ifc Inside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 9
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 14
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 15
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232

Phase: 16
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 17
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 18
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 19
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 20
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232

Phase: 21
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 22
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 23
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 24
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 25
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232

Phase: 26
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 27
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 28
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 29
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 30
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 31
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 32
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 33
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 34
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1339165, packet dispatched to next module

Phase: 35
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 36
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
00:00:00:00:00:00 -> XX:XX:XX:XX:XX:XX 0800
192.168.x.x:0 -> 1.1.1.1:0 proto 1 AS=0 ID=1 GR=1-1
Packet 3776304: ICMP, 08/01-20:17:04.124291, Type: 8 Code: 0
Session: new snort session
AppID: service: ICMP(3501), client: (0), payload: (0), misc: (0)
Firewall: allow rule, id 268434435, allow
Policies: Network 0, Inspection 0, Detection 4
Verdict: pass
Snort Verdict: (pass-packet) allow this packet

Phase: 37
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop [WAN-GW] using egress ifc Outside(vrfid:0)

Phase: 38
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop [WAN-GW] on interface Outside
Adjacency :Active
MAC address XXXX.XXXX.XXXX hits 0 reference 170

Result:
input-interface: Inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

Any help would be greatly appreciated!

1 Reply

christianh98114
Level 1

Quick Update: I forgot to mention this occurs for real traffic AND packet-tracer traffic.
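When a packet-tracer transcript runs to 38 phases it is easy to lose track of which phases actually decided anything. The helper below is an added example written for this page, not a Cisco tool and not code from the thread; it parses the plain-text "Phase: N / Type / Subtype / Result / Config / Additional Information" layout shown in the post, reports the longest consecutively repeated (Type, Subtype) cycle, and pulls out the things a practitioner checks first: any phase whose Result is not ALLOW, the Snort verdict line, and the closing Action. The embedded transcript is constructed in the same layout using documentation addresses (192.0.2.0/24, 198.51.100.1), with the ACCESS-LIST / CONN-SETTINGS / NAT / NAT per-session / IP-OPTIONS group repeated three times; fed the real transcript above, the same logic would report that group starting at Phase 3, period 5, repeated 5 times (Phases 3 through 27).

```python
"""Summarise a Firepower/ASA packet-tracer transcript and flag repeated phase cycles.

Hypothetical helper written for this page; it is not a Cisco utility. It assumes
the plain-text 'Phase: N / Type: / Subtype: / Result: / Config: / Additional
Information:' layout seen in the post and a closing 'Result:' block with 'Action:'.
"""
import re
from typing import Dict, List, Optional, Tuple

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")


def _phase(num: int, ptype: str, subtype: str = "", info: str = "") -> str:
    """Render one phase block in packet-tracer's layout (used to build sample input)."""
    return (f"Phase: {num}\nType: {ptype}\nSubtype: {subtype}\nResult: ALLOW\n"
            f"Config:\nAdditional Information:\n{info}\n\n")


# Constructed sample data in the post's layout; addresses are RFC 5737 documentation ranges.
_CYCLE = [
    ("ACCESS-LIST", "log", "This packet will be sent to snort for additional processing"),
    ("CONN-SETTINGS", "", ""),
    ("NAT", "", "Dynamic translate 192.0.2.10/0 to 198.51.100.1/6232"),
    ("NAT", "per-session", ""),
    ("IP-OPTIONS", "", ""),
]
_TAIL = [
    ("INSPECT", "np-inspect", ""),
    ("FLOW-CREATION", "", "New flow created with id 1, packet dispatched to next module"),
    ("SNORT", "", "Snort Verdict: (pass-packet) allow this packet"),
    ("ADJACENCY-LOOKUP", "Resolve Nexthop IP address to MAC", "Adjacency :Active"),
]


def build_sample(cycle_repeats: int = 3) -> str:
    """Constructed transcript: route lookup, the 5-phase group repeated N times, then the tail."""
    parts = [_phase(1, "INPUT-ROUTE-LOOKUP", "Resolve Egress Interface",
                    "Found next-hop [WAN-GW] using egress ifc Outside(vrfid:0)")]
    num = 2
    for _ in range(cycle_repeats):
        for ptype, subtype, info in _CYCLE:
            parts.append(_phase(num, ptype, subtype, info))
            num += 1
    for ptype, subtype, info in _TAIL:
        parts.append(_phase(num, ptype, subtype, info))
        num += 1
    parts.append("Result:\ninput-interface: Inside(vrfid:0)\n"
                 "output-interface: Outside(vrfid:0)\nAction: allow\n")
    return "".join(parts)


def parse_phases(text: str) -> Tuple[List[Dict[str, str]], Optional[str]]:
    """Return ([{num, type, subtype, result, info}], final Action) from a transcript."""
    phases: List[Dict[str, str]] = []
    cur: Optional[Dict[str, str]] = None
    action, in_info = None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"num": int(m.group(1)), "type": "", "subtype": "", "result": "", "info": ""}
            phases.append(cur)
            in_info = False
            continue
        if line == "Result:":          # bare 'Result:' opens the closing summary, not a phase verdict
            cur, in_info = None, False
            continue
        if cur is None:
            if line.startswith("Action:"):
                action = line.split(":", 1)[1].strip()
            continue
        if in_info:
            if line:
                cur["info"] = (cur["info"] + " " + line).strip()
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                cur[key.lower()] = line.split(":", 1)[1].strip()
                break
        else:
            if line == "Additional Information:":
                in_info = True      # Config: lines before this point are skipped
    return phases, action


def find_repeated_cycle(phases: List[Dict[str, str]]) -> Optional[Tuple[int, int, int]]:
    """Longest run of a consecutively repeated (Type, Subtype) sequence.

    Returns (first phase number, period, repeat count), or None when nothing repeats.
    Smallest period wins on ties because it is found first and ties are not replaced.
    """
    sig = [(p["type"], p["subtype"]) for p in phases]
    n, best = len(sig), None
    for period in range(1, n // 2 + 1):
        for start in range(0, n - 2 * period + 1):
            unit = sig[start:start + period]
            reps = 1
            while sig[start + reps * period:start + (reps + 1) * period] == unit:
                reps += 1
            if reps >= 2 and (best is None or reps * period > best[1] * best[2]):
                best = (phases[start]["num"], period, reps)
    return best


def summarize(text: str) -> Dict[str, object]:
    """Phase count, non-ALLOW phases, Snort verdict text, closing Action and repeated cycle."""
    phases, action = parse_phases(text)
    return {
        "phase_count": len(phases),
        "drops": [p["num"] for p in phases if p["result"].upper() != "ALLOW"],
        "snort": next((p["info"] for p in phases if p["type"] == "SNORT"), None),
        "action": action,
        "cycle": find_repeated_cycle(phases),
    }


if __name__ == "__main__":
    for key, value in summarize(build_sample()).items():
        print(f"{key}: {value}")
```

The numbers worth keeping from a run are the cycle tuple and the `drops` list: a repeated ACCESS-LIST/NAT group with every Result ALLOW, a pass verdict from Snort and `Action: allow` means the extra phases changed nothing about the decision, so the thing to compare against a known-good device or version is the repeat count, not the per-phase output.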
